It is a pity that cyber security lags in being appreciated by the public at large: the stories that make the news always feature big corporations.
The complexity of the problem, together with its (perceived) distance from the average entrepreneur, does not help small and medium-sized businesses realise that, as long as we are online, nobody is really risk-proof.
Just to mention a couple of instances: the person who curated the migration of our accountancy to the cloud has a relative running a farm holiday business whose documents were compromised in an attack in the late summer of 2020, causing the loss of all the data and a ransom demand worth several thousand € in Bitcoin. The same fate befell a local hotel we know, which was asked for a 10k € ransom in Bitcoin.
This problem suffers from a fundamental informational asymmetry: since we are not reacting to something that has already happened but trying to prevent it, the investor who has not yet been burned directly, and is trying to learn from other people's mistakes, must make a proactive effort of imagination. Unfortunately, this is not what the human mind evolved to do best.
Here at Dentoni, our commitment has always been to guarantee the smoothest possible service for our customers. In the digital age, while our business is experimenting with expansion through our new e-commerce platform, this means taking care of the safety of their digital data, as well as our company's and our suppliers'.
It is thus the perfect opportunity to summarise the cyber security innovations put in place on our initiative, in cooperation with Dr. Graziano Albanese, beginning in December 2020, and to list a sequence of simple precautions which, if carefully followed, go a long way towards improving the risk resilience of a network and, as a consequence, towards letting everybody sleep better.
Cyber Security measures in place since January 2021
A.1 EXTERNALIZATION OF CRYPTOGRAPHIC ATTACK RISK
Ransomware is based on a simple idea: a piece of malware (a malicious program) created by the attacker (whom we'll refer to as the hacker from now on) infiltrates the victim's device and encrypts the data through a procedure called a cryptographic algorithm which, without the key that reverses it, leaves the encrypted data unusable. Typically, following a successful attack, the hacker contacts the victim (anonymously, to be sure) demanding a ransom paid via cryptocurrency transfer.
In other words, once the hacker has run the encryption algorithm, there are two ways out besides paying the ransom:
- Restoring, after the fact, a backup of the data kept on a system independent of the attacked machine (a backup that the infected machine can write to is itself a target for encryption, so independence is the whole point)
- Pre-emptively migrating sensitive data to the platform of another provider that is reliable enough on the cyber security side.
Here at Dentoni we have put both measures in place, which entails the following
B.1 RANSOMWARE RISK MITIGATION MEASURES
- All accountancy and administration documents are now handled in the cloud, specifically on the servers hosting the Microsoft 365 service. While it is true that even giants like Microsoft are constantly under attack, this is counterbalanced by their continuous investment in cyber security; and, from the point of view of a small company like ours, the fact that our data sit alongside those of thousands of companies like us on the same infrastructure means that the provider's security effort, which no small company could afford on its own, protects all of them at once. On top of that, Microsoft keeps frequent backup copies, spread across multiple servers, which reduces the risk of permanent data loss practically to nothing. Note that these copies protect against failures on Microsoft's side rather than against a hijacked user account: a file encrypted or deleted through a legitimate but compromised login can be recovered only within the service's versioning and retention windows, which is one more reason to keep an independent backup as well (third point below).
- Email filtering: all electronic mail addressed to our domain is filtered by Microsoft's servers using the Exchange Online Protection service. Microsoft's servers constantly scan the messages we exchange with the outside world, using machine-learning classifiers among other techniques, to detect attachments carrying ready-to-deploy malware and links to phishing sites. Suspect messages are quarantined before they reach our mailboxes. No filter catches everything, which is why the precautions on passwords and two-factor authentication described below still matter.
- A backup of the data in the cloud, together with images of the operating system running on the cash register server, is taken daily to the servers of a second provider other than Microsoft, so that, in the unlikely event that the data hosted by the first provider are lost, or the cash register system is brought to a halt by an attack, service can be restored within a few minutes. This prevents a protracted halt of sales, which is a cornerstone of the whole scheme, especially at the busiest times. A backup is only worth what its last successful restore proves: the restore of the cash register image should be rehearsed periodically, not attempted for the first time during an incident.
- Installation of the Microsoft Defender antivirus on every company device, including the personal computers of the people who interact most with the company network for work purposes. Defender is configured with additional settings that limit the range of actions that can be executed on those computers; this is called host hardening, and the service used to enforce the security policies is Microsoft Intune, following a model known as cloud-managed endpoints.
- Complex passwords, generated and periodically updated through a password manager, plus two-factor authentication.
Simple passwords, made of a few characters, having an obvious meaning in one's mother tongue, or easily traceable to the person using them, are unbelievably easy to recover with dedicated programs, the so-called password crackers.
On the other hand, complex passwords mixing uppercase and lowercase letters, numbers and symbols are hard for a human being to remember. This is made up for by dedicated services (password managers), which store a user's passwords on their remote servers. Breaking into those servers does not compromise our passwords, because they are stored in encrypted form and can only be decrypted on the user's own device, by the password manager's client, with a key derived from the user's master password, which never leaves the device. The master password is therefore the one secret still worth memorising, and it must be long and used nowhere else.
Passwords can also be compromised through phishing and credential dumping attacks. In the former, the user gives the password away to a hacker performing a social engineering manipulation; in the latter the hacker, after gaining access to a company device, is in a position to steal the passwords stored on it.
These risks are partially mitigated by two-factor authentication, i.e. the procedure by which access to a sensitive service is granted only if, besides typing the correct password, the provider's server receives confirmation through a second device belonging to the very same user. That second device, typically a smartphone, generates 6-digit codes that change at fixed intervals (every 30 seconds, as a rule) and are computed from a secret shared with the provider's server at enrolment, so the server can compute the same code on its side and compare.
This way, for the attack to succeed, the hacker needs to compromise not one device but two, or else trick the user into handing over the current code as well as the password. That is not impossible (almost nothing is), but it is far less likely.
A.2 PRIVATE NETWORKS PENETRATION RISK
A hacker could exploit the customers' network to penetrate the company's private network. This is the same path a virus may take if it is present on the computer of a person external to the company who is given, or obtains, the private network's WiFi password.
B.2 PRIVATE NETWORKS PENETRATION RISK MITIGATION MEASURES:
FIREWALL AND HUMAN PRECAUTIONS
The solution to the first problem above is the brand new firewall we recently installed, which separates the private and public networks into distinct segments, so that a device on the customers' WiFi cannot reach the company's machines. The second measure can only be a collective precaution on our side: never share the private network's password with external users, since there is no protocol that is proof against human error, as far as we know.
A.3 RESILIENCE: IF AN INTERNET PROVIDER GOES DOWN
We used to have a single internet service provider for both of our networks. This creates a problem: if the provider has technical trouble delivering its service in a given area, everyone in that area loses connectivity. Had this happened to our provider in the past months, the total loss of connectivity would have hit us as well. To guarantee the service, it is important to diversify providers and to set up a system that switches the public and private networks (the latter having, for obvious reasons, higher priority) to the other provider in the event of such a failure.
A.4 MONITORING: WHAT IT IS FOR AND WHY WE DID NOT IMPLEMENT IT
Monitoring is the most expensive and complex cyber security service. It consists in installing on the company's computers programs that constantly collect data and metadata about the processes running on them, looking for anomalous behaviour patterns and, when such patterns are detected, alerting someone who can take action.
It is a measure that comes into play at a later stage of an attack, once something is already running on a machine, so it is about detection and response rather than prevention.
In a nutshell, monitoring makes sense only if someone in the company constantly reviews the generated alerts. At our scale, that person could only be one of us, so the investment makes no sense on its own.
This does not exclude that, as Artificial Intelligence based systems keep improving, such products will become more automated, with costs decreasing at the same time.
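As an added example, not code from the article nor from any monitoring product, here is the kind of rule a monitoring agent applies to the telemetry it collects: it reads file-activity records, looks for one process renaming many files to the same new extension within a short window (the typical footprint of an encryption run like the one described under A.1), and raises an alert while ignoring a person renaming a single file. The record format and the sample lines are constructed for this example; a real agent would read them from the operating system's file-system auditing rather than from a string.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of file-activity telemetry (hypothetical format, not real data).
SAMPLE_LOG = r"""
2021-01-12T09:00:01 pid=4120 proc=winword.exe op=write path=C:\Users\anna\Documents\offer.docx
2021-01-12T09:00:05 pid=4120 proc=winword.exe op=write path=C:\Users\anna\Documents\offer.docx
2021-01-12T09:01:30 pid=2210 proc=explorer.exe op=rename path=C:\Users\anna\Documents\old_price_list.bak
2021-01-12T09:02:10 pid=7781 proc=update.exe op=rename path=C:\Users\anna\Documents\offer.docx.locked
2021-01-12T09:02:12 pid=7781 proc=update.exe op=rename path=C:\Users\anna\Documents\invoice_2020_11.pdf.locked
2021-01-12T09:02:15 pid=7781 proc=update.exe op=rename path=C:\Users\anna\Documents\suppliers.xlsx.locked
2021-01-12T09:02:19 pid=7781 proc=update.exe op=rename path=C:\Users\anna\Pictures\menu.jpg.locked
this line is corrupted and must not crash the detector
2021-01-12T09:02:25 pid=7781 proc=update.exe op=rename path=C:\Users\anna\Desktop\notes.txt.locked
2021-01-12T09:02:40 pid=7781 proc=update.exe op=rename path=C:\Shares\cash\register_config.ini.locked
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)


class Event(NamedTuple):
    ts: datetime
    pid: int
    proc: str
    op: str
    path: str


class Alert(NamedTuple):
    pid: int
    proc: str
    new_ext: str
    count: int          # renames to that extension seen in the whole log
    first_seen: datetime


def parse_events(log_text: str) -> List[Event]:
    """Parse the telemetry lines; malformed lines are skipped, never fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), int(m["pid"]),
                            m["proc"], m["op"], m["path"]))
    events.sort(key=lambda e: e.ts)
    return events


def extension(path: str) -> str:
    """Lower-cased extension of the file name part of a Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(log_text: str, window_s: int = 60, threshold: int = 5) -> List[Alert]:
    """Alert when one process renames at least `threshold` files to the same new
    extension within `window_s` seconds. A user renaming one file, or a program
    touching files at human pace, never reaches the threshold."""
    stamps: Dict[Tuple[int, str, str], List[datetime]] = defaultdict(list)
    for ev in parse_events(log_text):
        if ev.op == "rename":
            stamps[(ev.pid, ev.proc, extension(ev.path))].append(ev.ts)
    alerts = []
    for (pid, proc, ext), times in stamps.items():          # times are sorted
        for i in range(len(times) - threshold + 1):        # sliding window
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(Alert(pid, proc, ext, len(times), times[i]))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_LOG):
        print(f"ALERT {a.first_seen} pid={a.pid} {a.proc}: "
              f"{a.count} files renamed to *{a.new_ext} within a minute")
```

The example makes the point of A.4 concrete: the alert fires while the sixth file is being renamed, which is after the first five are already encrypted. Detection buys the chance to isolate the machine and limit the damage, not to avoid it, and the alert is useless unless someone is there to act on it within minutes.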
Conclusions
With this article we hope to have conveyed why we attribute such importance to cyber security: the case for strict security measures does not rest on the probability that something bad happens, but on the damage that would follow if something bad actually happened. We also hope to have conveyed how seriously we take the security of digital data, whether ours or our customers'.
Mirko and Franz
A cursory overview of the sources that inspired us to begin our cyber security project.
Personal communications with experienced people were equally, if not more, precious.
- Edward Snowden, Permanent Record, Pan Macmillan, 2019
- Susan Sons et al., The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University: https://cacr.iu.edu/principles/index.html
- Susan Sons, Postmortem, Linux Journal, 25 July 2017
- Susan Sons, Example Security Exercises, Linux Journal, 11 November 2016
- Matthew Holland, Zero Day, The Knowledge Project podcast by Farnam Street